Many finserv firms still wrestling with DORA compliance

Just over five weeks since the new Digital Operational Resilience Act (DORA) came into force, many banks and financial services firms are still struggling to get their full compliance in order.

In fact, close to half of all financial institutions are still not meeting the stringent compliance requirements for DORA, which could put them at risk of substantial fines, according to an industry insider.

These fines could reach up to 1% of their worldwide daily turnover for up to six months, potentially costing firms millions.

“Given the complexity of the regulation and the ongoing pressure to balance security needs with broader business goals, it’s no surprise that many financial institutions are falling behind,” said Richard Lindsay, principal advisory consultant at Orange Cyberdefense.

“The financial services sector is under constant threat, and while DORA aims to increase resilience, it also requires significant changes to operations,” he added.

Nevertheless, Lindsay did stress that DORA, a European Union regulation aimed at bolstering the resilience of the financial sector against digital threats, has garnered widespread support across the financial services space.

He said most senior security decision-makers acknowledge its value in strengthening the financial ecosystem. However, many institutions are struggling to navigate the complexities of the regulation.

DORA is among several recent and emerging regulations in the EU, created to enhance and standardise requirements for enterprise cyber resiliency.

The rules are specifically for financial entities operating across the EU 27, including banks, insurance companies, credit agencies and more, and third-party service providers that serve them.


“DORA requires significant changes to operations.”

– Richard Lindsay

Lindsay went on to discuss a recent Censuswide survey of hundreds of CISOs and senior security experts in the UK, which found that while there is broad support for DORA, compliance remains a significant hurdle.

He singled out several key barriers to compliance, including a lack of prioritisation from wider organisations, a short timeline, insufficient knowledge or skills, and a lack of visibility over third-party partners.

To address these issues, a staggering 97% of respondents have already planned or are planning to rely on external support, Lindsay disclosed.

He added that “this comes as no surprise, given the already stretched cybersecurity teams, which are dealing with overlapping regulations like the Network and Information Systems Directive 2 (NIS2),” which came into effect in October 2024.

While many institutions have allocated sufficient budgets to meet DORA compliance, budget constraints remain a concern.

“Most respondents report that their organisations have allocated enough funds, and many are reassigning resources,” Lindsay noted.

However, most senior security professionals predict that DORA will significantly increase long-term cybersecurity costs.

Lindsay stressed that the urgency around DORA compliance is not just about regulatory pressures but also about the escalating cyber threats facing the financial sector.

“The likelihood of a breach has never been higher,” he warned.

DORA’s requirements include essential measures for protection, detection, containment, recovery and repair, along with oversight of ICT third-party risk, to mitigate these threats.

The enforcement of DORA is overseen by national regulators within each EU member state with the power to impose penalties for non-compliance. They are directly supervised by lead overseers from the European Supervisory Authorities.

“The path to DORA compliance is undeniably challenging, but the benefits – building operational resilience and avoiding fines – are significant,” Lindsay concluded, adding that “for many financial institutions, the time to act is now, before it’s too late.”

As DORA took effect last month, on January 17, financial institutions now need to adopt a universal framework that focuses on Information and Communication Technology (ICT) risk management.

This framework aims to bolster digital resilience in the financial sector, which handles some of the most sensitive data globally, Hughes noted.

However, there is a growing concern that digital resilience is not being adequately prioritised at the board level.

Many UK CISOs feel their IT budgets do not fully align with the board’s objectives to meet regulatory requirements. As a result, costs are growing.

Mounting costs

Despite many UK finance firms not being fully compliant yet, it is becoming increasingly clear costs are mounting for banks and other financial services institutions.

In fact, the sector is experiencing a “serious financial strain” as they work to meet the requirements of DORA, which came into force on January 17.

It has emerged that nearly half of all Britain-based financial institutions spent more than €1 million in the last two years to prepare for or implement these regulations.


Moreover, over a quarter allocated more than €500,000, according to James Hughes, VP of solutions engineering and enterprise chief technology officer at Rubrik, a US cloud data management and data security company based in Palo Alto, California.

While these regulations aim to increase operational resilience and safeguard sensitive data from evolving software security threats, the costs of compliance are significant, Hughes shared.

Despite the increased investment, ransomware remains the most prominent threat, with close to half of financial organisations citing it as their top concern, he continued, as he discussed a recent survey carried out by his firm.

Other threats include third-party compromises and vulnerabilities in software supply chains, the London-based insider said.

The increasing threat landscape, especially third-party risks, makes regulatory compliance necessary, albeit costly.

“Understanding what data is the most critical, where that data lives, and who has access to it is essential for identifying, assessing, and mitigating ICT risks,” Hughes said.

“If good hygiene practices like these are not followed, organizations could face hefty fines from [UK financial services regulator] the Financial Conduct Authority,” he stressed.

Hughes added that “while regulators are increasingly stringent, many CISOs feel their budgets don’t reflect the board’s commitment to compliance, which could jeopardize both security posture and the ability to meet evolving regulatory demands.”

DORA as an ‘opportunity’

Some lawyers argue that DORA may even create an opportunity for UK businesses by giving them “a competitive advantage,” as one legal mind puts it, because DORA’s impact will not merely be limited to EU-based businesses, warned Charlotte Witherington, a partner at international law firm Taylor Wessing.

London-based Witherington pointed out that “as the UK navigates its post-Brexit relationship with the EU, it is important to understand how the UK’s equivalent plans to ensure operational resilience impact UK businesses but also how the more progressed EU legislation can impact a technology business in the UK, regardless of whether it directly serves FEs in the EU.”


It is important for UK businesses, whether they are themselves FEs or they provide ICT services to FEs, to understand the implications of DORA in the context of the UK’s post-Brexit regulatory environment, Witherington continued.

She explained in a recent blog post that, before Brexit, the UK’s financial regulations were closely aligned with EU standards, including those related to digital operational resilience. This alignment allowed for cross-border operations for UK-based financial entities.

However, after leaving the EU, the UK retained a substantial part of the EU’s financial legislation but has since begun to review and, in some cases, diverge from EU regulations.

“To that end, the UK is in the process of introducing its own DORA equivalent (UK DORA), meaning that UK technology businesses with FE customers in the EU will need to navigate two regulatory regimes in parallel,” Witherington wrote in a recent DORA analysis.

“The EU’s DORA is significantly more progressed than UK DORA,” she added, although she did stress that “insights from the UK’s existing approach to operational resilience may be informative for making comparisons.”


“As the UK seeks to build its status as a global technology hub, it’s worth mentioning the opportunities created by DORA.”

– Charlotte Witherington

Both the UK and EU frameworks mandate the identification of critical business services or functions and require some form of operational resilience testing.

“The UK’s existing approach involves firms identifying ‘important business services’ and determining their ‘impact tolerance,’ with detailed considerations of various factors affecting service disruption,” Witherington pointed out.

“EU DORA mandates the creation of an ICT risk management framework, including digital resilience strategy and governance, but is less granular in requiring businesses to set impact tolerances for each critical function or service.”

Despite the uncertainty among many financial services firms, and the impression within the industry that DORA has become a major challenge for many banks and finance companies, the legislation should not be seen as an obstacle.

In fact, Witherington does see some opportunities for UK businesses with regard to DORA.

“As the UK seeks to build its status as a global technology hub, it’s worth mentioning the opportunities created by DORA for UK technology businesses,” she explained.

“FEs, and ICT providers, will need to strategically plan for DORA compliance, considering the implications for ICT risk management, third-party provider relationships, and incident response mechanisms.”

Witherington stressed this may involve investments in technology, processes, and skills development, creating an opportunity for those at the forefront of technological innovation as well as industry heavyweights, “whose trust and reliability in the eyes of customers, and regulators, could become an increasingly competitive advantage,” as she put it.
